Counterproductive Security Measures

The base computer network seemingly doesn’t trust any security certificates from any signing authority other than Verisign. This means that every web site that uses any other certificate authority (which is to say, a truly stupendous number of sites) gets an error message that the site’s security certificate cannot be verified to a trusted issuer. This happens with my company timecard system, as one rather important example. Since the network doesn’t trust Entrust or others, there is no way to be sure whether the sites I connect to which are not Verisign-approved are real sites or phishing expeditions. As a result, every site which is not Verisign-approved is a giant red beacon of “ignore this security warning because it’s really not a problem after all.” Every non-Verisign site adds one more item to the list of things to ignore which good security practices tell you NOT to ignore.

Although the Air Force has decided (for reasons which escape me) to allow YouTube and Facebook access on-base (but not Google Plus or even Google Calendar), this week Flash is broken. This is a security configuration issue, as the flashing error bar on the top of the page says the add-on has been disabled, not that Flash is literally broken. So, one more flashing error bar to add to the list.

Again, this just encourages users to assume that every error message is, in fact, in error itself. If we get inundated with false positives, we are being trained to ignore actual positives. This also applies to the wave of “helpful” messages which greet us whenever we log in; I challenge any user here at Goodbuddy to honestly claim they read those every time they log into the network. They are just more noise to ignore, and they train people to ignore all messages because most of them are trivia or wrong.